GNU bug report logs

#33751 SQLite "Magellan" vulnerability


Message #24 received at 33751-done@debbugs.gnu.org:

From: Alex Vong <alexvong1995@gmail.com>
To: 33751-done@debbugs.gnu.org
Subject: [GNU bug Tracking System] bug#33783: closed (Re: [bug#33783] [PATCH]
 gnu: sqlite: Replace with 3.26.0 [security fixes].)
Date: Wed, 26 Dec 2018 02:11:28 +0800
[Message part 1 (text/plain, inline)]
Closing as patch was applied

[Message part 2 (message/rfc822, inline)]
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Alex Vong <alexvong1995@gmail.com>
Subject: bug#33783: closed (Re: [bug#33783] [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].)
Date: Mon, 24 Dec 2018 09:36:02 +0000
[Message part 3 (text/plain, inline)]
Your bug report

#33783: [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 33783@debbugs.gnu.org.

-- 
33783: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=33783
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
[Message part 4 (message/rfc822, inline)]
From: Efraim Flashner <efraim@flashner.co.il>
To: 33783-done@debbugs.gnu.org
Subject: Re: [bug#33783] [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].
Date: Mon, 24 Dec 2018 11:35:36 +0200
[Message part 5 (text/plain, inline)]
Patch was pushed as 38abef124bc18d3834eb12352a974b6143f62e97

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[Message part 7 (message/rfc822, inline)]
From: Alex Vong <alexvong1995@gmail.com>
To: guix-patches@gnu.org
Cc: alexvong1995@gmail.com
Subject: [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].
Date: Tue, 18 Dec 2018 10:53:19 +0800
[Message part 8 (text/plain, inline)]
Tag: security

Hello,

This patch grafts sqlite to its latest version. It also changes all the
sqlite-* packages to use 'package/inherit' so that they get the
replacement as well. See <https://bugs.gnu.org/33751> for details.

[0001-gnu-sqlite-Replace-with-3.26.0-security-fixes.patch (text/x-diff, inline)]
From 9d0fae1e1fa2fc13bd794bb2dbeb89750c772cfb Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Tue, 18 Dec 2018 10:36:52 +0800
Subject: [PATCH] gnu: sqlite: Replace with 3.26.0 [security fixes].

Fixes <https://bugs.gnu.org/33751>.
Reported by Marius Bakke <mbakke@fastmail.com>.

* gnu/packages/databases.scm (sqlite-3.26.0): New public variable.
(sqlite)[replacement]: Use it.
(sqlite-with-fts5): Use 'package/inherit'.
(sqlite-with-column-metadata): Likewise.
---
 gnu/packages/databases.scm | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 0fa6d451e..78d9a6739 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -24,7 +24,7 @@
 ;;; Copyright © 2017 Adriano Peluso <catonano@gmail.com>
 ;;; Copyright © 2017 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
-;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
+;;; Copyright © 2017, 2018 Alex Vong <alexvong1995@gmail.com>
 ;;; Copyright © 2017, 2018 Ben Woodcroft <donttrustben@gmail.com>
 ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
 ;;; Copyright © 2017, 2018 Pierre Langlois <pierre.langlois@gmx.com>
@@ -1183,6 +1183,7 @@ changes.")
 (define-public sqlite
   (package
    (name "sqlite")
+   (replacement sqlite-3.26.0)
    (version "3.24.0")
    (source (origin
             (method url-fetch)
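Review bot: the added (replacement sqlite-3.26.0) line in the sqlite definition has no comment explaining why the package is grafted instead of updated in place. A graft substitutes 3.26.0 for 3.24.0 underneath dependents that were built against 3.24.0, so it relies on the two versions being ABI-compatible. A short comment above the field that points at <https://bugs.gnu.org/33751> and says the graft should be folded into a regular version bump at the next rebuild would help whoever edits this definition next.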
@@ -1219,9 +1220,29 @@ widely deployed SQL database engine in the world.  The source code for SQLite
 is in the public domain.")
    (license license:public-domain)))
 
+(define-public sqlite-3.26.0
+  (package/inherit sqlite
+    (version "3.26.0")
+    (source (origin
+              (method url-fetch)
+              (uri (let ((numeric-version
+                          (match (string-split version #\.)
+                            ((first-digit other-digits ...)
+                             (string-append first-digit
+                                            (string-pad-right
+                                             (string-concatenate
+                                              (map (cut string-pad <> 2 #\0)
+                                                   other-digits))
+                                             6 #\0))))))
+                     (string-append "https://sqlite.org/2018/sqlite-autoconf-"
+                                    numeric-version ".tar.gz")))
+              (sha256
+               (base32
+                "0pdzszb4sp73hl36siiv3p300jvfvbcdxi2rrmkwgs6inwznmajx"))))))
+
 ;; This is used by Tracker.
 (define-public sqlite-with-fts5
-  (package (inherit sqlite)
+  (package/inherit sqlite
     (name "sqlite-with-fts5")
     (arguments
      (substitute-keyword-arguments (package-arguments sqlite)
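Review bot: sqlite-3.26.0 is defined with (package/inherit sqlite ...), but this package is the replacement itself. According to the cover letter, package/inherit is used so that derived packages get the replacement as well, which the fixed package does not need; a plain (package (inherit sqlite) ...) would state the intent more clearly. Separately, the literal "2018" in "https://sqlite.org/2018/sqlite-autoconf-" is tied to the release year while the rest of the URI is computed from version, so it deserves a comment saying it has to change together with the version.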
@@ -1230,7 +1251,7 @@ is in the public domain.")
 
 ;; This is used by Qt.
 (define-public sqlite-with-column-metadata
-  (package (inherit sqlite)
+  (package/inherit sqlite
     (name "sqlite-with-column-metadata")
     (arguments
      (substitute-keyword-arguments (package-arguments sqlite)
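Review bot: only sqlite-with-fts5 and sqlite-with-column-metadata are switched to package/inherit, and the patch does not show whether any other package still uses (package (inherit sqlite) ...). Per the cover letter, a variant left on plain inherit would not get the replacement, so it is worth grepping the tree for remaining (inherit sqlite) uses and converting and listing them in the commit log if any turn up.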
-- 
2.19.2

[Message part 10 (text/plain, inline)]
Cheers,
Alex


debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 11:03:21 2024; Machine Name: wallace-server
